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We discuss long code problem in the Bennett-Brassard 
1984 (BB84) quantum key distribution protocol and describe 
how they can be overcome by concatenation of the protocol. 
Observing that concatenated modified Lo-Chau protocol fi- 
nally reduces to the concatenated BB84 protocol, we give the 
unconditional security of the concatenated BB84 protocol. 
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I. INTRODUCTION 

Information processing with quantum systems enables 
what seems to be impossible with its classical counterpart 

Quantum key distribution (QKD) PHpUM] is one of 
the most interesting and important quantum informa- 
tion processings. QKD seems to become the first practi- 
cal quantum information processor |u|. Although secu- 
rity of the Bennett-Brassard 1984 (BB84) QKD [g had 
been wi dely conjectured based on the no-cloning theo- 
rem pd|Jl2|| , it is quite recently that its unconditional 
security was shown [ p^JT^ , ^ . In particular, Shor and 
Preskill showed the security of BB84 scheme by el- 
egantly using the connections among several basic ideas 
in quantum information processings, i.e. quantum error 
correcting codes (QECCs) [[l6 17 and entanglement pu- 
rification fllSfl . 



A. Long code problem and concatenated BB84 
protocol 

The Shor-Preskill proof affords security for a certain 
type of BB84 protocol JfEj where we perform error correc- 
tion and privacy amplification by a classical code associ- 
ated with Calderbank-Shor-Steane (CSS) quantum code 
|^6| , p7|Jl9| . For a chosen code and a given error rate of 
the communication channels, Alice (the sender) and Bob 
(the receiver) can calculate Eve's (Eavesdropper's) infor- 
mation on the final key. What Alice and Bob would want 
is to make Eve's information on the whole final key less 
than what they regard as negligible, for example, one bit. 
This can be done by choosing an appropriate code for the 
given error rate. 



However, the Shor-Preskill proof does not place any 
bounds on the amount of effort Alice and Bob must do 
in decoding of the classical error correcting code associ- 
ated with the CSS code |l9| . In particular, when the code 
length is large the decoding is not so simple ]l5| . One 
might say that we need not worry about the problem 
so much because we can do it by a code with a moder- 
ate length. However, we can easily see that it is risky: 
Let us consider case where the number of bits is n and 
the error rate is r (0 < r < 1). Then the probability 
distribution of the error rate will be peaked at r with 
standard deviation a ~ ^/r(l — r)/n. When the number 
of bits n is one thousand and the error rate r is 10%, the 
standard deviation is about 0.949%. This means that 
the probability that the real error rate will be more than 
12.4%(= r + 2.57ct) is 1%. This implies that if they had 
assumed that a channel with 10% error rate is below a 
threshold, say 12.4%, for the one thousand bits, then the 
probability that Alice and Bob will be cheated is 1%. 
Note that this is too high a risk for a cryptographic task 
where we must achieve an exponentially small probabil- 
ity to be cheated. Thus they have to permit large room, 
say 20cr, between the error rate of the channel and the 
threshold. Then the threshold must be larger than 29.0% 
in this case. However, no code is found to work yet if it 
exceeds 26.4% [^0|. Therefore, the number of bits n must 
be large, say one million, in order to obtain the exponen- 
tial security. However, as noted previously, decoding such 
a long code might be a difficult task |lj| . 

On the otherhand, concatenation is a very useful and 
interesting idea in both classical and quantum error cor- 
rections |pi| . In this method, already-encoded-bits are 
used as unit-bits to encode new bits. The itrative pro- 
cesses can be repeated as we like. The more they perform 
the concatenation processes, the shorter encoded bits be- 
comes exponentially. Since the concatenated codes are 
not included in the orginal codes, it is nontrivial one to 
adopt the concatenated codes for certain tasks. For ex- 
ample, it is by using concatenated coding that the fault 
tolerant quantum computation become possible p2[ . 

In this paper, we show that the long code problem 
can be avoided by the idea of using concatenated BB84 
protocol: First, Alice and Bob generate raw keys. Next, 
using a classical codes associated with CSS code they 
perform error correction and privacy amplification on the 
raw keys, as prescribed in the Ref . [jlj| . As a result they 
get first key. The first key is not so much secure (possibly 
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due to the long code problem). They perform the error 
correction and privacy amplification again in the same 
way on the first key and then they obtain the second 
key. They repeat this process until the estimated leaked 
information on the final key is negligible. 

In section II, first we give the concatenated modified 
Lo-Chau protocol. This protocol reduces to the concate- 
nated CSS code protocol that reduces to the concate- 
nated BB84 protocol. In section III, we discuss the secu- 
rity of the concatenated schemes and how the concate- 
nated protocol solves the long code problem. In section 
IV, we give discussion and conclusion. 

B. Notation 

In this paper, we use mostly the notations in Refs. 

The canonical basis of a qubit consists of |0) and |1). 
We define another basis as follows. |0) = (l/v / 2)(|0) + 
|1» and |1) = (l/-v/2)(|0) - |1)). H is the Hadamard 
transform. This transformation interchanges the bases 
|0), |1) and |0), |1). / = ctq is the identity operator and 
o~ x , (Ty, <j z are the Pauli operators. The <J a u) denotes 
the Pauli operator o~ a acting on the i-th qubit where a = 
0, x, y, z. For a binary vector s, we let o~a — < 7 q( 1 )0'*^ ■ 
• • cr„? n )) where Si is the i-th bit of s and <r° = /, a\ = a a . 

The Bell basis are the four maximally entangled state, 
- (1/V2)(|01) ± |10>) and |$±) = (1/V2)(|00) ± 

|H))- 

Let us consider two classical binary codes, C\ and C 2 , 
such that {0} C C 2 C C\ C F 2 " where F£ is the binary 
vector space of the n bits. A set of basis for the CSS 
code can be obtained from vectors v £ C\ as follows, v — > 
(1/|C 2 | 1/2 ) E«, G c 2 \v+w). Note that v\ and v 2 give the 
same vector if v\ — v 2 € C 2 ■ H\ is the parity check matrix 
for the code C\ and H 2 is that for C 2 , the dual of C 2 . 
Q x ,z is a class of QECCs. For v E Ci, the corresponding 
code word is v -> (1/|C 2 | 1/2 ) E^ec^-l)^!^ +v + w). 

II. CONCATENATED BB84 PROTOCOL 

First, we give the concatenated modified Lo-Chau pro- 
tocol. This scheme reduces to the concatenated CSS 
codes protocol that reduces to the concatenated BB84 
protocol. 

We consider a doubly concatenated scheme of the 
[[111, ki, di]] and [[n 2 , k 2 , d 2 ]} CSS codes jl(|[l7). It is clear 
that it can be generalized to multiple-concatenation in 
the same ways. 

Protocol A: Concatenated modified Lo-Chau protocol. 

The first stage: (1) Alice creates 2n\n 2 EPR pairs 
in the state |$+)®( 2 ™i™2). (2) Alice selects a random 
(2niri2)-bit string b. She performs a Hadamard opera- 
tion on second half of each EPR pair for which the com- 
ponent of b is one. (3) Alice sends the second half of 



each EPR pair to Bob. (4) Bob receives the qubits and 
publically announces this fact. (5) Alice announces the 
bit string b. (6) Bob undoes the Hadamard operations 
in step 2. (7) Alice selects randomly ni7i2 of the 2nin 2 
EPR pairs to serve as check-bits. (8) Alice and Bob each 
measure their halves of the nin 2 check EPR pairs in the 
{|0), |1)} basis and share the results. If too many of these 
measurements disagree, they abort the scheme (9) Alice 
randomly chooses ni unencoded qubits. She repeats this 
until all code bits are used. As a result, she gets n 2 sets 
of code bits whose number of elements is all n\. She an- 
nounces her choices to Bob. (10) For each set, they make 

[rl - [rl 

the measurements of o~ z for each row r € Hi and a x 
for each row r E H 2 of the [[m, fci, di]] CSS code. Alice 
and Bob share the results, compute the syndromes for 
bit and phase flips, and then transforms their state so as 
to obtain k\n 2 once-encoded high-fidelity EPR pairs. 

In the next stage, Alice and Bob do essentially the 
same operations on the kin 2 once-encoded EPR pairs as 
they have done on un-cncodcd EPR pairs in the previous 
stage. 

The second stage: (1) Alice randomly chooses n 2 once- 
encoded qubits. She repeats this until all code bits are 
used. As a result, there are ki sets whose number of ele- 
ments is n 2 . She announces her choices to Bob. (2) For 
each set, Alice and Bob make the measurements of 

[rl 

for each row r € Hi and a x for each row r € H 2 of the 
[[712,^2,(^2]] CSS code. They share the results, compute 
the syndromes for bit and phase flips, and then trans- 
forms their state so as to obtain kik 2 doubly-encoded 
EPR pairs. (3) Alice and Bob measure the EPR pairs 
in the doubly encoded {|0), |1)} basis to obtain fcifo-bit 
final key. □ 

Let us now consider reduction of the protocol. The 
same arguments used in Ref. fl5|| applies here. The dif- 
ference is that they measure the syndrome twice at both 
level of concatenation, that is, un-encoded qubits and 
once-encoded qubits. 

Protocol B: Concatenated CSS code protocol. 

The first stage: (1) Alice creates nin 2 random check 
bits and a random (2nin 2 )-bit string b. (2) Alice chooses 
n 2 rii-bit string Xi and Zi at random (i — 1, 2, n 2 ). (3) 
Alice prepares kin 2 once-encoded bits in a state 1 00 • • • 0) 
using [[ni, fci, c?i]] CSS code Q Xi ,zi- 

The second stage: (1) Alice creates a random k\k 2 - 
bit key-string k' . (2) Alice chooses ki ri2-bit string x'j 
and z'j at random (j = 1, 2, ki). (3) Alice encodes 
her key \k') using the once-encoded qubits prepared in 
the step 3 of the first stage with the [[712,^2,^2]] CSS 
code Q x i z i . (4) Alice randomly chooses ni?i 2 positions 
out of 2ni7i2 and puts the unencoded check bits in these 
positions. She randomly permutes the qubits of the dou- 
bly encoded code bits of the previous step. She puts 
them in the remaining positions. (5) Alice performs the 
Hadamard operation on each qubit for which the com- 
ponent of b is one. (6) Alice sends the resulting state 
to Bob. Bob acknowledge the receipt of the qubits. (7) 
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Alice announces the string b, the positions and values of 
unencoded check bits, the random permutation and each 
and x'p Zj. (8) Bob undoes the Hadamard oper- 
ation and random permutation. (9) Bob measures un- 
encoded check-bits in the {|0), |1)} basis and announces 
the results to Alice. If too many of these measurements 
disagree, they abort the scheme. (10) Bob measures the 
qubits in the doubly encoded {|0),|1)} basis to obtain 
ftifo-bit final key with near-perfect security. □ 

Let us consider reduction of the concatenated CSS code 
protocol to the concatenated BB84 protocol. We can ap- 
ply the same arguments used in Ref. jl5| . The difference 
is that reductions process involved with Eq. (4) in Ref. 
jl5| are performed twice at both level of concatenation. 

Protocol C: Concatenated BB84 protocol. 

The first stage: (1) Alice creates 4niri2(l + 5) random 
bits. (2) Alice chooses a random 4ni7i2(l + 5)-bit string 
b. For each bit, she creates a state in the {|0), |1)} and 
{|0),|1)} basis, if the corresponding component of the 
bit b is zero and one, respectively. (3) Alice sends the 
resulting qubits to Bob. (4) Bob receives the 4nin 2 (l + 
5) qubits, measuring each in the {|0), |1)} and {|0), |1)} 
basis at random. (5) Alice announces b. (6) Bob discards 
any results where he measured a different basis than Alice 
prepared. With high probability, there are at least 2n\ni 
bits left. Alice decides randomly on a set of 2mrt2 bits to 
use for the protocol, and chooses at random n\U2 of these 
to be check-bits. (7) Alice and Bob announce the values 
of the their check-bits. If too few of these values agree, 
they abort the protocol. (8) Alice announces u + v, where 
v is a string consisting of randomly chosen code-bits, and 
u is a random code word in C\ of the [[m, fci, rfi]] code. 
Alice announces the n\ positions of the randomly chosen 
code-bits. (9) Repeat the previous step n-i times, until 
all code-bits are consumed. (10) Bob subtracts each u + v 
from each of his code-bits, v + e, and corrects the result, 
u + e, to a codeword in C\ of the [[m, k%, dx\] code. (11) 
Alice and Bob use the coset of each u + C2 as the key. In 
this way, they obtain fciri2-bit string. 

The second stage: (1) Alice announces u + v, where v 
is a string consisting of randomly chosen code-bits, and 
u is a random code word in C2 of the [[712, &2, <i 2 ]] code. 
Alice announces the positions of the randomly chosen 
code-bits. (2) Repeat the previous step at k% times, until 
all code-bits are consumed. (3) Bob subtracts each u + v 
from his each code qubits, v + e, and corrects the result, 
u + e, to a codeword in C\ of the [[n 2 , k%, ^2]] code. (4) 
Alice and Bob use the coset of each u + C2 as the key. In 
this way, they obtain fcifc2-bit key. □ 



III. SECURITY OF THE PROTOCOL 

What we want to show is the security of the protocol 
C, the cancatenated BB84 protocol. However, it is suffi- 
cient for us to show the security of the protocol A, since 
the protocol A reduces to the protocol C. Accordingly 



arguments in the following are for the protocol A that 
accompanies entanglement purification. 

The security of modified Lo-Chau protocol is based on 
the idea of random sampling Jl||,^4| : Based on the mea- 
sured error rate in the check-bits, Alice and Bob estimate 
actual error rate in the code-bits. Since the check-bits 
are randomly chosen, they can do it with a high reliabil- 
ity. Thus they can correct errors with a high reliability. 
(It is not misleading to use notations of QECCs in the 
discussion of entanglement purification because they are 
equivalent to each other here.) 

It is not difficult to intuitively understand how the pro- 
tocol A is secure. When the estimated actual error rate in 
the code-bits is not low enough, they cannot obtain EPR 
pairs with a fidelity that is satisfactorily high. However, 
in most cases the fidelity has become higher. By iter- 
ating the entanglement purification, they can make the 
fidelity become higher and higher. The protocol A is se- 
cure when EPR pairs have high enough fidelity, since the 
almost perfect fidelity implies the almost perfect secu- 
rity |^5|, 15| . This is indeed the original idea of quantum 



privacy amplification |26|. 

Let us give a more detailed description. The probabil- 
ity distribution of the number of actual errors forms an 
approximate Gaussian distribution whose deviation de- 
pends on the length of code. The longer the codes is, the 
smaller the deviation is. A rigorous relavant equation re- 
garding random sampling for this estimation is given in 
Ref. p4j. Let us consider the example considered in in- 
troduction. The error rate r is 10%. The number of code- 
bits n is one thousand and thus the standard deviation 
is about 0.949%. This means that the probability that 
the real error rate will be less than 12.4%(= r + 2.57<r) is 
99%. Therefore, if the threshold of the error correcting 
code is greater than 12.4%, the error rate of purified EPR 
pairs will be less than 1%, that is much smaller than the 
original error rate 10%. By repeating this operation, the 
fidelity can be made arbitrily small. Let us estimate how 
error rate r decreases with iteration of purification. For a 
given length of code n, the deviation a is approximately 
proportional to yfr. (See introduction.) Let us denote 
j-th error rate and deviation by and <7j, respectively, 
where i is positive integer. Then we can get a relation 
r i+ i ~ cxp(-T 2 /of ) = exp(— T 2 jr{) when r ~ 0. Here 
constant T is the threshold of the code. We can see that 
i-th error rate n super-exponentially decreases with re- 
spect to i. Fidelity is proportional to 1 — r and thus 
almost perfect fidelity can be obtained. 

In the protocol A, Alice randomly chooses sets of 
qubits to be used for syndrome measurement. This cor- 
responds to random choice of code-bits to be used for 
error correction and privacy amplification (in the step 8 
of the first stage and the step 1 of the second stage) in 
the Protocol C . It should be noted that the randomness 
in the choice is essential in the proposed protocol: The 
error rate is what is averaged for all nin 2 check-bits. 
Unless the choice for the code-bits is random, Eve can 
succesfully cheat by correlating positions of the errors in 
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code-bits. 



IV. CONCLUSION 

In a certain class of BB 84 protocol with proven se- 
curity (ll|, long classical error correcting codes are de- 
sired in order to obtain sufficient security. However, it 
is not easy to decode long codes. If they use interme- 
diate length codes they cannot obtain enough security. 
We have shown that this long code problem can be re- 
solved by concatenation of the BB 84 protocol. We have 
shown the security of the concatenated BB84 protocol: 
The concatenated BB84 protocol can be derived from 
the concatenated modified Lo-Chau protocol. We have 
described how the latter protocol is secure. 
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